Not Just a Game Anymore



This is a followup to a previous article titled Is it worth it? Dispelling the myths of law enforcement and hacking, released on November 22, 1999 via Hacker News Network.

Included with this article are several sanitized copies of various documents pertaining to computer crime investigations. Names, dates and locations have been changed.

Some of the information in this article may be a bit redundant from the last article, but is included in order to present a self-standing article that is as complete as possible. Some of the links to agency homepages have been changed to point to their true home page, not just the system hosting the page.

        More on Search and Seizure
                The Search
                The Seizure
        Statute of Limitations
        What exactly is illegal?
        More on Punishment

        Investigating Agencies
                Federal Bureau of Investigation (FBI)
                Defense Criminal Investigative Service (DCIS)
                NASA Office of the Inspector General (NASA OIG)
                Air Force Office of Special Investigations (AFOSI)
                Naval Criminal Investigative Service (NCIS)
                U.S. Army Criminal Investigation Command (USACIDC)
                Royal Canadian Mounted Police (RCMP)
                Defense Computer Forensic Laboratory (DCFL)

        Appendix and Additional Information
                A - Search and Seizure Warrant
                B - Search and Seizure Warrant, Attachment A (apartment)
                C - Search and Seizure Warrant, Attachment A (colocated machine)
                D - Search and Seizure Warrant, Attachment C
                E - Warrant for Arrest
                F - Indictment
                G - USDOJ Press Release


More on Search and Seizure

Before any Law Enforcement (LE) officer/agent may set foot in your place of living, they must obtain a search warrant that gives them explicit permission to do so. The warrant will list the physical address of the premises to be searched, a description of the establishment, a time frame for the search and seizure, and a list of acceptable material that may be seized. The warrant is likely to be issued by your District Court to the agent in charge of the investigation.

Rather than explain each part of the search and seizure warrant, I have included a sanitized version of one with this article. From my experience and communication with others, the warrant included can be taken as a very typical and standard version used throughout the U.S. Appendix A includes the first page of the warrant, which details the premises to be searched, dates, who will conduct the seizure and more. Appendices B and C are copies of Attachment A, which is a wordy description of the premises to be searched (the apartment and the colocated machines). Appendix D is a copy of Attachment C, which lists all material covered under the search and seizure guidelines.

Appendix A - Search and Seizure Warrant
Appendix B - Search and Seizure Warrant, Attachment A (apartment)
Appendix C - Search and Seizure Warrant, Attachment A (colocated machine)
Appendix D - Search and Seizure Warrant, Attachment C

Some notes and observations about the material contained in Appendix A. Outlined on the warrant, the agents may conduct the search and seizure either between the hours of 6:00am - 10:00pm, OR "at any time in the day or night as I find reasonable cause has been established". One of the two options should be struck through and initialed by the Judicial Officer. Also included is a date that the search must be executed by.

The Search

Being subjected to an FBI search and seizure is an interesting experience to say the least. No official wording on any warrant can come close to explaining the experience. Typically arriving at your residence between 6:00 and 8:00am, almost a dozen agents are ready to toss your apartment to fulfill the warrant. After being greeted at gunpoint and your residence secured, the agents will mark each room with a Post-it note and number. These numbers correspond to the receipt they leave you detailing what material was taken from each room.

In keeping with standard search and seizure practice, not much is left unturned. Some of the places you can expect the agents to search:
If this does not help paint a picture that agents are rather thorough, let me clear it up. They are quite thorough. Do they find everything? Not all the time. In some cases agents even miss items out in the open that they might normally take. To balance this, they almost always take a considerable amount of material that is completely irrelevant or esoteric.

For the most part, you can also dismiss any notions you may have about hiding items before the raid. When they knock on the door, they will not give you time to do anything short of opening the door and complying with their demands. If they have any idea that you may be destroying evidence, they are empowered with the ability to forcibly enter your residence, physically detain you, and carry on.

The search and seizure will not be short by any means. You can expect it to last anywhere from a few hours to a full day. During this time you will be questioned by a number of agents regarding anything and everything they might think to ask. I don't know if it is intentional and designed to throw you off, but they may ask extremely bizarre questions that lead you to wonder about their intelligence. During this questioning do one of two things.
Lying to law enforcement agents may seem like a clever thing to do at the time, but it is much more likely to hurt you in the long run. If you are caught in a single lie during questioning, it will further encourage the agents to question you more. They also have the option of charging you with obstruction of justice if so inclined. When an agent gets it through their head that you are guilty, that is bad news for you regardless of your guilt or innocence.

It is extremely important that you realize your rights. UNDER NO CIRCUMSTANCE do you have to answer questions without the presence of your lawyer. No matter what the LE agent says, suggests, or implies, this is a fundamental right. In many cases, raid victims are not being charged with a crime. Because of this, their rights are not read to them. Just because you aren't under arrest does not mean those rights are waived! The courts have recently found that police can be sued if they discourage raid victims from consulting a lawyer. More on this ruling can be found in this Washington Post article.

The Seizure

What can LE Agents take from you? EVERYTHING. You can't argue about it either. While they may take material that is not explicitly covered under the warrant and may later be forced to give it back to you, that doesn't help you when they are rummaging through your house. Re-read the list of material covered under Attachment C and think about how broad it is.

It is safe to say that absolutely anything remotely computer related is covered under the warrant. There are a few things that are also covered under the guidelines that tend to surprise people when confiscated.



Statute of Limitations

Another often-asked question is how long the feds can investigate you. As long as they want. For most cases, LE can investigate a crime for up to five years after it was committed. This is known as the Statute of Limitations and defines how long they can investigate and press charges against you for the crime. Hypothetically, that is. If the crime is serious, several agents have assured me that the U.S. Government will find a way to stretch that timeframe.

Regardless, if the agents have not made a case against you, the government attorneys will not press charges. Even so, you can expect them to hold onto any seized equipment until the conclusion of their investigation. If they go so far as seizing equipment and not pressing charges, you can expect to get your stuff back 1,825 days after it was taken, just to spite you.


What exactly is illegal?

Thanks to the vague (or was it intentional?) wording of the Title 18 laws, several actions you may consider harmless could fall into murky legal territory. As a DCIS agent recently said in a conversation about the last article, "Even if you telnet to a machine and type anything in, that can be attempted intrusion!". As fascist as that may sound, it is true. Any activity or connections to a remote machine without authorization may be illegal. Because it is partially based on intent and partially based on your activities, this is still somewhat uncharted territory. While it is highly unlikely you will be charged for portscanning a machine, repeated poking at an open port could be enough to spark interest in your activities.

Another term often used by agents and lawyers is "illegal access device" (IAD). Having turned into another all-encompassing term, this can be used for a wide variety of things in a case against you. Some of the things that fall into this category:
Consider that when some hackers are busted, they are caught with a list of thousands of logins and passwords to systems around the world. Disturbing to think that each one can be used as a felony charge against you. When federal agents hold up to a thousand felony charges over your head, it is often enough to make you want to cut a deal. This is one reason that strong encryption is the friend of hackers.


More on Punishment

The punishment for hacking crimes is growing. Convicted hackers five years ago could expect a light slap on the wrist, a few hours of community service, and not much else. These days, a single felony count of computer hacking can lead to 15 months in jail along with restitution in the tens of thousands of dollars.

Look at the verbose list of restrictions placed on Kevin Mitnick below, examine them closely, and consider what they really entail.

While the following restrictions may not be applied to every case, consider that they have been applied to one convicted hacker. Further consider that as such, these restrictions may be used as case law in future court hearings. The following restrictions are taken from a larger document concerning Kevin Mitnick and the restrictions.

http://www.kevinmitnick.com/081898writ.html#release_conditions
A. Absent prior express written approval from the Probation Officer, the
Petitioner shall not possess or use, for any purpose, the following:

    1. any computer hardware equipment;

    2. any computer software programs;

    3. modems;

    4. any computer related peripheral or support equipment;

    5. portable laptop computer, 'personal information assistants,'
       and derivatives;

    6. cellular telephones;

    7. televisions or other instruments of communication equipped with
       on-line, internet, world-wide web or other computer network access;

    8. any other electronic equipment, presently available or new
       technology that becomes available, that can be converted to
       or has as its function the ability to act as a computer system
       or to access a computer system, computer network or
       telecommunications network (except defendant may possess a
       'land line' telephone);

B. The defendant shall not be employed in or perform services for any
   entity engaged in the computer, computer software, or
   telecommunications business and shall not be employed in any capacity
   wherein he has access to computers or computer related equipment or
   software;

C. The defendant shall not access computers, computer networks or other
   forms of wireless communications himself or through third parties;

D. The defendant shall not act as a consultant or advisor to individuals
   or groups engaged in any computer related activity;

E. The defendant shall not acquire or possess any computer codes (including
   computer passwords), cellular phone access codes or other access devices
   that enable the defendant to use, acquire, exchange or alter information
   in a computer or telecommunications database system;

F. The defendant shall not use any data encryption device, program or
   technique for computers;

G. The defendant shall not alter or possess any altered telephone,
   telephone equipment or any other communications related equipment.

Imagine being subjected to these restrictions for a period of THREE years. Not only does your primary hobby go away, your means for stable income are at serious risk. Think of every job you could hold with these restrictions and life does not look so pleasant. Even working at Taco Bell requires the use of computerized registers. Telemarketing and other menial tasks that once were viable methods of income also go away. Jobs that consist mostly of physical labor become about the only option left to you. Don't forget, many companies will not hire convicted felons, even for physical labor.

Court-ordered restitution will be a new world of difficulty. Many people fail to realize that not only are restitution amounts fairly significant, but they must be paid back in a timely fashion. Oh yeah, remember that you are not likely to hold a job that pays more than six bucks an hour. So how much is US$50,000 when it comes down to it? Consider that you might be able to earn US$25,000 a year if you are fortunate. Giving up your entire salary would allow you to pay it off in two years. If you can live off of US$15,000 (poverty level), you could then pay back the restitution in only five years. Five years of living at a poverty level.

Is defacing a web page and putting up a message "hackerX 0wnz j00" REALLY worth it?


Investigating Agencies

After the previous article, many people wrote in to add more information regarding the various agencies that investigate computer crime. Using reader feedback and a little more searching, I have compiled a better profile of each agency that covers computer crime, as well as their jurisdiction. Once again, please mail me if you have further information, or find errors in the material below.


Federal Bureau of Investigation (FBI)
http://www.fbi.gov
Jurisdiction: Computer crime involving the crossing of U.S. state lines

More information: http://www.fbi.gov/pressrm/congress/97archives/compcrm.htm

In February 1992, the FBI completed an assessment of the national computer crime problem and established the National Computer Crimes Squad (NCCS) in the Washington D.C. field office. The NCCS was staffed with Agents knowledgeable and competent in computer systems who were available to investigate computer crimes throughout the United States. In view of the fact that many computer crimes are international in scope, the FBI planned and hosted the first International Computer Crimes Conference in Charleston, S.C., in May 1992, which was attended by investigators from seven countries.

Also in 1992, the FBI established the Computer Analysis and Response Team (CART). CART is a specialized group of forensic examiners with the technical expertise and resources to examine computers, networks, storage media and computer-related materials in support of FBI investigations.

The FBI is creating computer investigation teams in each of its 56 field offices that will respond to computer incidents within their geographical area of responsibility.

The FBI has established the Computer Investigations and Infrastructure Threat Assessment Center (CITAC) with the mission of managing computer investigations and infrastructure threat assessment matters. On July 15, 1996, President Clinton signed Executive Order 13010 establishing, on an interim basis, an Infrastructure Protection Task Force (IPTF) within the Department of Justice, chaired by the FBI. The IPTF includes representatives of the Department of Defense, National Security Agency and other agencies. A unit within CITAC performs analysis and manages the FBI's coordinating role in the IPTF. The CITAC Watch Office proactively monitors threats to the U.S. Critical Infrastructures, provides front-end analysis of threats, and acts as a Crisis Action Team. CITAC manages the FBI's computer-related investigations and provides advice and assistance to all investigations within the FBI that involve the computer as a tool for committing a crime.

Computer and Internet crimes are investigated by the FBI utilizing many criminal statutes under our jurisdiction. The Computer Fraud and Abuse statute was amended during the prior Congress and is a comprehensive tool to address computer crimes. Internet crimes conducted to defraud consumers are addressed with myriad statutes including Fraud By Wire, Mail Fraud, Interstate Transportation of Stolen Property, and Money Laundering to name only a few. Other computer related crimes involving Intellectual Property can be addressed utilizing Copyright laws and the recently enacted Economic Espionage statute.


Defense Criminal Investigative Service (DCIS)
http://www.dodig.mil/DCIS/index.html
Jurisdiction: Computer crime occurring against Department of Defense computers

More information: http://www.dodig.osd.mil/DCIS/mission.htm

The DCIS mission is to detect, investigate and prevent fraud waste and abuse committed against or within the Department of Defense, involving its programs, operations and assets, and to address other matters as directed.

More information: http://www.dodig.osd.mil/

The Department of Defense (DoD) Inspector General serves as an independent and objective official in DoD responsible for conducting, supervising, monitoring and initiating audits and investigations relating to the programs and operations of the DoD. The Inspector General provides leadership and coordination and recommends policies for activities designed to promote economy, efficiency, and effectiveness in the administration of, and to prevent and detect fraud and abuse in, such programs and operations. The Inspector General is also responsible for keeping the Secretary of Defense and the Congress fully and currently informed about problems and deficiencies relating to the administration of such programs and operations and the necessity for, and progress of, corrective action.


NASA Office of the Inspector General (NASA OIG)
http://www.hq.nasa.gov/office/oig/hq/
Jurisdiction: Computer crime occurring against NASA computers

More information: http://www.hq.nasa.gov/office/oig/hq/mission.html

Public Law 95-452, known as the Inspector General Act of 1978, created independent audit and investigative units, called Offices of Inspector General (OIGs) at 61 Federal agencies.

The mission of the OIGs, as spelled out in the Act, is to:
The NASA OIG serves as an independent and objective audit and investigative organization to assist NASA by performing audits and investigations. The OIG prevents and detects fraud, waste and abuse and assists NASA Management in promoting economy, efficiency, and effectiveness in its programs and operations. The OIG auditors and agents are located at NASA Headquarters and all NASA Centers.


Air Force Office of Special Investigations (AFOSI)
http://www.dtic.mil/afosi/
Jurisdiction: Computer crime occurring against Air Force computers

More information: http://www.defensedaily.com/progprof/usaf/Air_Force_Office_of_Special_I.html

The United States Air Force Office of Special Investigations is a field operating agency with headquarters at Bolling Air Force Base, Washington, D.C. It has been the Air Force's major investigative service since August 1, 1948.

Mission

The primary responsibilities of the Air Force Office of Special Investigations are criminal investigative and counterintelligence services. The organization seeks to identify, investigate and neutralize espionage, terrorism, fraud and other major criminal activities that may threaten Air Force and Department of Defense resources. AFOSI provides professional investigative service to commanders of all Air Force activities.

Personnel and Resources

AFOSI has about 2,000 personnel, of whom two-thirds are special agents. Eighty-eight percent of the special agents are military and 12 percent are civilian. AFOSI consists of seven regional offices, seven overseas squadrons and more than 160 detachments using a worldwide network of agents at all major Air Force installations and a variety of special operating locations.


Naval Criminal Investigative Service (NCIS)
http://www.ncis.navy.mil/
Jurisdiction: Computer crime occurring against Navy computers

The Naval Criminal Investigative Service (NCIS) is a worldwide organization responsible for conducting criminal investigations and counterintelligence for the Department of the Navy and for managing naval security programs.

More information: http://www.ncis.navy.mil/about.htm

Like all other elements of the Department of Defense (DoD) and the Department of the Navy (DoN), NCIS has had to bear its share of personnel and budget cuts, too. For example, in 1991, NCIS had 2,281 total personnel including 1,167 special agents assigned to more than 200 offices worldwide. Today, NCIS has 1,603 personnel of whom 877 are civilian special agents assigned to 150 offices worldwide. In addition, 51 military agents, mostly from the Marine Corps, are assigned to NCIS.

Despite these and other changes, however, the NCIS mission remains the same -- "To Protect and Serve" the men and women of the Navy and Marine Corps, their families and DoN civilian employees by conducting felony criminal investigations and counterintelligence for the Department of the Navy, and managing Navy security programs.


U.S. Army Criminal Investigation Command (USACIDC)
http://www.belvoir.army.mil/cidc/
Jurisdiction: Computer crime occurring against Army computers

As the Army's primary criminal investigative organization, the "CID" is responsible for the conduct of criminal investigations in which the Army is, or may be, a party of interest. Headquartered at Fort Belvoir, Virginia and operating throughout the world, the CID conducts criminal investigations that range from death to fraud, on and off military reservations, and, when appropriate, with local, state and other federal investigative agencies. We support the Army through the deployment, in peace and conflict, of highly trained soldier and government service special agents and support personnel, the operation of a certified forensic laboratory, a protective services unit, computer crimes specialists, polygraph services, criminal intelligence collection and analysis, and a variety of other services normally associated with law enforcement activities.

More information: http://www.lewis.army.mil/6thcid/cidhist1.htm

The U.S. Army Criminal Investigation Command (USACIDC) was organized as a major command of the Army to provide investigative services to all levels of the Army. Using modern investigative techniques, equipment and systems, USACIDC concerns itself with every level of the Army throughout the world in which criminal activity can or has occurred. Unrestricted, CID searches out the full facts of a situation, organizes the facts into a logical summary of investigative data, and presents this data to the responsible command or a United States attorney as appropriate. The responsible command or the U.S. attorney then determines what action will be taken. Ultimately, the commander of USACIDC answers only to the Chief of Staff of the Army and the Secretary of the Army.


Royal Canadian Mounted Police (RCMP)
http://www.rcmp-grc.gc.ca/frames/rcmp-grc1.htm
Jurisdiction: Computer crime occurring against Canadian computers

The Royal Canadian Mounted Police (RCMP) works with communities to ensure the safety of all Canadians. It enforces federal laws, provides contract policing to most provinces, many municipalities and First Nations communities. The RCMP participates in peacekeeping efforts and supplies world-leading expertise in areas like forensics and criminal intelligence to Canadian and international police.

More information: http://www.rcmp-grc.gc.ca/html/cpu-cri.htm

There are RCMP Commercial Crime Sections in every major city in Canada. Each one of these units has at least one investigator who has received specialized training in the investigation of computer crimes. These investigators are supported by the RCMP Computer Investigative Support Unit (CISU) located at RCMP Headquarters in Ottawa. CISU can provide technical guidance and expertise to all Canadian police departments and federal government agencies in relation to computer and telecommunication crime investigation.

The Criminal Code of Canada and the Copyright Act contain provisions that deal with computer and telecommunication crime.


Defense Computer Forensic Laboratory (DCFL)
http://www.dcfl.com
Jurisdiction: Forensic/Technical support for DoD computer crime investigation

The Department of Defense Computer Forensics Laboratory provides digital and analog evidence processing (analysis and diagnostics) for DoD counterintelligence, criminal, fraud investigations, operations and programs. The DCFL sets DoD standards in digital and analog forensic analysis. The Lab develops and manages DoD forensic media analysis research and development projects. It also conducts liaison with counterpart law enforcement, computer security and intelligence agencies.


Appendix A - Search and Seizure Warrant


UNITED STATES DISTRICT COURT
District of Arizona

In the matter of the Search of
(Name, address or brief description of person or property to be searched)

                                                       SEARCH WARRANT
12345 East Hacker Street
Apt. 866                                    Case Number: 98-5887MB
Phoenix, Arizona


   TO: Bill F. Scrotum, III and any Authorized Officer of the United States
Affidavit(s) having been made before me by affiant, Bill F. Scrotum, III, who has reason to believe that /_/ on the person of or /X/ on the premises known as (name, description and/or location)

SEE ATTACHMENT A.

in the District of Arizona there is now concealed a certain person or property namely (describe the person or property)

SEE ATTACHMENT C.

I am satisfied that the affidavit(s) and any recorded testimony establish probable cause to believe that the person or property so described is now concealed on the person or premises above-described and establish grounds for the issuance of this warrant.

YOU ARE HEREBY COMMANDED to search on or before _______12-20-98__at__11:15a.m.________
                                                               Date

(not to exceed 10 days) the person or place named above for the person or property specified, serving this warrant and making the search (in the daytime 6:00a.m. to 10:00p.m.) (at any time in the day or night as I find reasonable cause has been established) and if the person or property be found there to seize same, leaving a copy of this warrant and receipt for the person or property taken, and prepare a written inventory of the person or property seized and promptly return this warrant to _____United States Judge or Magistrate Judge_____ as required by law.






______12-14-1998__@__11:16_a.m._____   at   __Phoenix, Arizona_____________
Date and Time Issued                        City and State

___Lawrence O. Somebody_____________        __(signature)__________________
Name and Title of Judicial Officer          Signature of Judicial Officer


Appendix B - Search and Seizure Warrant, Attachment A (apartment)

ATTACHMENT A

12345 EAST HACKER STREET
APARTMENT 866
PHOENIX, ARIZONA

12345 East Hacker Street, Phoenix, Arizona, (between Hacker Street and Federal Avenue) is a two-story, residential apartment building, with brown stucco and siding and a brown shingle roof, consisting of approximately 8 residential apartments. Apartment 866 (the "FIRST PREMISES") is on the second floor of the building; the number "866" appears beside the door to the FIRST PREMISES.



Appendix C - Search and Seizure Warrant, Attachment A (colocated machine)

ATTACHMENT C

TWO COMPUTERS OWNED BY JOHN Q. HACKER
MAINTAINED AT THE OFFICES OF BUSINESS COMMUNICATIONS
2000 SOUTH MAIN STREET, SUITE 800,
PHOENIX, ARIZONA

One white "Sun Sparc Station" brand computer, and one personal computer (collectively, the "SECOND PREMISES"). The latter of these two computers has several stickers on it: a "Linux Inside" brand sticker, a sticker which reads "For Unofficial Use Only," a bumper-style sticker which reads "REMAIN WHERE YOU ARE WHILE VEHICLE IS IN MOTION," and a round sticker which has a caricature of a space alien face on it. Both computers are located in the business premises of Business Communications (located at the above-referenced address) on a steel rack in the vicinity of other computers.


Appendix D - Search and Seizure Warrant, Attachment C

ATTACHMENT C

THE PREMISES KNOWN AND DESCRIBED AS 12345 EAST HACKER STREET, APT. 866, PHOENIX, ARIZONA


Records, documents, programs, applications, and materials which reflect hacking activities, including copies of software, data, and information; hacking tools and programs; computerized logs; electronic organizers; account names; passwords; encryption codes, algorithms and formulae; personal diaries; books, newspaper, and magazine articles concerning hacking; exploits and other hacking programs; and computer or data processing literature, including printed copy, instruction books, papers; or listed computer programs, in whole or in part; computers; central processing units; external and internal drives; external or internal storage equipment or media; terminals or video display units; optical scanners; computer software; computerized data storage devices, including data stored on hard disks or floppy disks, computer printouts or computer programs; computer or data processing software or data, including: hard disks, floppy disks, cassette tapes, video cassette tapes, and magnetic tapes, together with peripheral equipment such as keyboards, printers, modems or acoustic couplers, automatic dialers, speed dialers, programmable telephone dialing or signaling devices, fax machines (and data included therein), telephone blue boxes, and magnetic tapes which could contain or be used to transmit or store any of the foregoing records, documents, and materials; indicia of occupancy or tenancy including: bills, letters, invoices, shipping records, and rental or leasing agreements which tend to show ownership, occupancy or control; records, documents, and materials which refer, relate to, or are for use in, computer hacking.
As used herein, the term records, documents, and materials includes records, documents, and materials created, modified or stored in electronic or magnetic form and any data, image or information that is capable of being read or interpreted by a computer; and other items containing or reflecting evidence of violations of unauthorized intrusion into computers, in violation of Title 18, United States Code, Sections 371 and 1030.



Appendix E - Warrant for Arrest
                        UNITED STATES DISTRICT COURT

                       EASTERN DISTRICT OF CALIFORNIA

UNITED STATES OF AMERICA                        WARRANT FOR ARREST
     v.
JOHN HACKER  (DOB: 11/22/81)                    CASE NUMBER: 99 M 823

TO:   The United States Marshal
      and any Authorized United States Officer

                YOU ARE HEREBY COMMANDED to arrest JOHN HACKER and bring him
forthwith to the nearest magistrate to answer a Criminal Complaint charging
him with intentionally obtaining information from protected and United
States computers by unauthorized access, and malicious interference with a
United States communication system, in violation of Title 18, United States
Code, Sections 1030(a)(2)(B) AND (C), and 1362.

James F. Brakel                         United States Magistrate Judge
Name of Judicial Officer                Title of Issuing Officer

August 30, 1999, at Carlsbad, CA        _________________________
Date and Location                       Signature of Issuing Officer(signed)



***PAGE 1****

                        UNITED STATES DISTRICT COURT
                       EASTERN DISTRICT OF WISCONSIN

UNITED STATES OF AMERICA                 CRIMINAL COMPLAINT
             v.
JOHN HACKER  (DOB: 11/22/81)                    CASE NUMBER: 99 M 823

                I, FRED F. WHITE, the undersigned complainant being duly
sworn state the following is true and correct to the best of my knowledge
and belief.  On or about April 1, 1999 in Orange County, in the State and
Eastern District of California, JOHN HACKER, the defendant herein, did
intentionally access a computer without authorization and did exceed
authorized access, thereby obtaining information from a protected computer
and from the United States Army, a department of the United States; and did
willfully and maliciously interfere with the working and use of a
communication system operated and controlled by the United States, and used
for military functions of the United States, and did willfully and
maliciously obstruct and delay the transmission of communications over such
system,

in violation of Title 18, United States Code, Sections 1030(a)(2)(B) and
(C), and 1362.

I further state that I am a Special Agent with the United States Army
Criminal Investigative Command, and that this complaint is based on the
following facts:

Please see the attached affidavit of Special Agent Fred F. White.

                                                     ______________________
                                                   Signature of Complainant
                                                              Fred F. White

Sworn to before me and subscribed in my presence,

August 30, 1999                         at Carlsbad, California
Date                                    City and State

The Honorable James F. Brakel
United States Magistrate Judge          ______________________
Name & Title of Judicial Officer        Signature of Judicial Officer





                                 Affidavit

                I, Fred F. White, being duly sworn, state that:

                1. I have been a Special Agent with the United States Army
Criminal Investigative Command (USACIDC) for approximately 9 years.  I am
currently assigned to the Computer Crimes Resident Agency.  I have received
specialized training for that assignment, including training in the
forensic recovery of digital evidence at the Federal Law Enforcement
Training Center (U.S. Treasury), training in computer intrusion
investigations conducted by the Federal Bureau of Investigation, and
Defense Department training in the computer-related crimes and computer
operating systems.

                2. I make this affidavit in part from personal knowledge
based on my participation in this investigation and my review of documents,
and in part on information gained through my training and experience.  In
particular, I have relied on information provided by FBI Special Agent
Michael Serlsen and Charles Frad, both of whom have been involved in a
pending investigation of a group of computer hackers known as "Script Kids
United".

                3.  The Internet, sometimes referred to as the World Wide
Web (WWW), is a collection of computers and computer networks which are
connected to one another via high-speed data links and telephone lines for
the purpose of sharing information.  Connections between Internet computers
exist across state and international borders.  Information sent between
computers connected to the Internet frequently crosses state and
international borders, even if those computers are in the same state.

                4.  An Internet Service Provider (ISP) is a business that
provides access to the Internet.  Services provided by an ISP include
computer accounts, Internet access, electronic mail (E-Mail), shell accounts
(computer accounts on a computer running the UNIX operating system),  and
dial-up connection to the Internet via a telephone line and a modem.

                5.  A modem is a device which converts digital signals into
analog signals for transmission over telephone lines, and analog signals
back into digital signals.  This allows computers to communicate via
telephone lines.  A modem in a computer can be used to "dial-up", via
telephone, and connect to a computer located at an ISP.  This connection
process is one method of accessing the Internet via an ISP.

                6.  Computers connected to the Internet are identified by
addresses.  Internet addresses take on several forms including Internet
Protocol (IP) addresses, Uniform Resource Locator (URL) addresses, and
domain names.  Internet addresses are unique and each can be resolved
through recovery and identification techniques, to identify a physical
location and a computer connection of a particular address.  When an ISP
customer connects to the internet through the ISP, the customer is assigned
a unique IP address by the ISP for that entire on-line session.

                7.  Computers use user identities (user IDs) or accounts to
identify specific computer users.  Users of a computer are assigned a
unique account/user ID which is protected from unauthorized access by a
password.  Access to the computer and its resources can be regulated by a
systems administrator for each individual account.  The highest level of
authorization on a computer is the root or super user account which is
granted unrestricted access to all computer functions and resources.

                8.  Log Files are computer files containing information
regarding the activities of computer users, processes running on a computer
and the activity of computer resources such as networks, modems and
printers.  Log files are used to identify unauthorized uses of computer
resources.

                9.  A Computer Hacker is an individual who obtains
unauthorized access or exceeds his authorized access to a computer.

                10.  A back door is a computer intrusion term which is
defined as: an intrusion tool, an unauthorized computer account, or an
account which exceeds authorized access and is left by an intruder after an
intrusion as a means for gaining unauthorized access to a computer at a
later time.

                11.  A network is a series of points connected by
communications channels.  The switched telephone network is the network
normally used for dialed telephone calls.

                12.  A server is a computer connected to a network which
provides a particular service to other devices; for example a print server
manages a printer and an e-mail server manages electronic mail.

                13.  The Internet Relay Chat (IRC) is a collection of
server computers on the Internet which allow IRC users to communicate or
"chat" with other users of IRC.  Users on IRC, called IRC Clients, access
the IRC servers using IRC Client software programs.  IRC users communicate
in public and private environments called "chat rooms."  IRC users are
identified by a unique nickname and an Internet address.  IRC Client
software programs can be used to identify users.  IRC is considered to be a
public communication forum with no expectation of privacy for conversations
which occur in public "chat rooms."  The computer servers which make up the
IRC network are protected computers since they are used to conduct
interstate communications.


Summary of John Hacker Investigation

                14.  On and around June 13, 1999, FBI special agents
executed a series of search warrants at various locations around the United
States.  The search warrant applications detailed the conspiratorial
activities of a group of hackers known as Script Kids United.  The objectives of
the conspiracies included unauthorized intrusions into computer systems,
credit card fraud, and the fraudulent use of telecommunication services.

                15.  On or about June 18, 1999, FBI Special Agent Michael
Serlsen applied for and obtained a search warrant for the residence of
John Hacker, more particularly described in the caption of this
application.  His application and supporting affidavit established probable
cause that certain evidence and instrumentalities of violations of Title 18
United States Code, Sections 371, 1029(a)(2), 1030(a)(2)(C), 1030(a)(5)(A),
1030(a)(6) would be found at the residence.  The application was based in
part on information provided by two of the targets of the Global Hell
searches referred to in the previous paragraph.  Not all the information
provided by the two subjects has been verified, and some of it is believed
to be unreliable.  The following is a summary of the information provided
about Davis:

                Information from Target #1:

                a. The members of the conspiracy who were involved with
most of the hacking were John Hacker, a.k.a. "statd kid," and John
Vranapelly, a.k.a. "JaVa", "winkid", and "sphincter".

                b. These two persons founded a hacker group called
"Script Kids Unite", a.k.a. "SKU".

                c. The group is a product of the hacker group known as
"Big Kids With Toys".

                d. Both Hacker and Vranapelly would coordinate attacks on
different sites by communicating with other hackers on internet
chat channels.

                e. These individuals bragged of hacks they had performed.
When one member of the conspiracy  had difficulty hacking into the
system, members of the conspiracy would work together to direct
attacks in order to penetrate these sites.

                f. Hacker previously lived in Syracuse, New York but had
moved sometime in 1999 to a new apartment in Carlsbad,
California.  The phone number for the apartment is (720) 555-8362.


                Information from Target #2:

                a. "JaVa" was one of the co-founders of the computer
hacker group known as Script Kids Unite.

                b. "statd kid" lives in Carlsbad, California, and has a
first name of John.

                c. "statd kid" has used a "Cold Fusion" program to attack
system vulnerabilities.  This program searched for vulnerabilities in
window-based programs and allows the initiator to enter the computer
system via a back door.

                d. Target #2 searched the domain registered to "SKU", which
Statd Kid set up.  The name was listed to 678 Norse Drive
Apartment 44, Carlsbad, California.  Special Agent Frad duplicated
the search and confirmed this listing.

                e. Statd Kid told Target #2 about hacks he has done which
include, but are not limited to:
                                1.  www.one.com
                                2.  www.two.com
                                3.  www.three.com
                                4.  www.four.com
                                5.  www.five.com
                                6.  www.six.com
                                7.  www.seven.com
                                8.  www.eight.com
                                9.  www.nine.com
                                10. www.ten.com

                16. On June 9, 1999, FBI Special Agent Serlsen and others
executed the search warrant at the residence of John Hacker, and seized among
other things, Hacker's computer.  I have just begun the process of searching
a copy of the computer's storage media.  I have discovered the Cold Fusion
software necessary to accomplish the intrusion described in paragraph 18,
below.  After the search of the residence, SA Serlsen interviewed Hacker,
who admitted to being a member of Script Kids United and admitted hacking into web
sites listed above, but claimed had not done any hacking since January of
this year.

                17. The United States Army maintains a number of web sites
intended to provide information to both the public and Army personnel, who
can use various sites for work-related purposes.  The web sites are
maintained in a network of computers.  The main web site is www.army.mil.
The web site includes links to other U.S. Army web sites, some of which are
non-public, that is, that can be accessed only by authorized users with
user ID's and passwords.

                18. On July 3, 1999, between approximately 1:35 a.m. and
5:23 a.m. (CST), an unknown hacker gained unauthorized root access to an
unclassifed U.S. Army web server located in the Pentagon, Washington D.C.
The intruder replaced the opening web page with an altered web page
containing a hacker signature from a group calling themselves "Script Kids
United".  As a result, no one could utilize the web site for any of its
intended purposes until it was repaired.  Further, the unknown intruder
turned off system auditing services in an attempt to prevent any detailed
record of the incident.  The intruder also downloaded event log files,
modified them to cover his intrusion, and then uploaded them to replace
accurate logs with the altered version.  A thorough review of the system by
system administrators revealed a recently publicized vulnerability was used
to modify the opening web page and subsequently turn off logging.  A review
of external logs revealed the intruder accessed the server through an
internet service provider (ISP) located in Carlsbad, California.

                19. Logs maintained by the ISP in Carlsbad show that the
intruder used an unauthorized ISP account which has been in existence for a
period of about two years without their knowledge.  Further, the intruder
utilized the ISP between 10:42 p.m. July 18 and 05:23 a.m. July 28, 1999
(CST) which encompassed the time frame the US Army Web server was accessed.

                20. Telephone records maintained by the communications
carrier for the Carlsbad area show that beginning at approximately 10:01
p.m. on July 27, 1999, telephone number (720) 555-3723, subscribed to in
the name of John Hacker at the premises described in the caption to this
application, was used to place a call to the ISP referred to above.  The
call lasted approximately 4 hours.



Appendix F - Indictment
                        UNITED STATES DISTRICT COURT
                       EASTERN DISTRICT OF WISCONSIN
__________________________________________________________________________________

UNITED STATES OF AMERICA
                                Plaintiff,
                  v.
JOHN Q. HACKER,
                               Defendant.

Case No. 99-Cr-432
__________________________________________________________________________________
                                 INDICTMENT

        __________________________________________________________________________________

THE GRAND JURY CHARGES:

                                 Count One:

                On or about April 1, 1999, in Central County, in the State
and Eastern District of New Mexico, and elsewhere,

                               JOHN Q. HACKER

intentionally accessed a computer through an interstate communication and
in a manner that exceeded authorized access, and thereby obtained
information from the United States Navy, a department of the United States
and from a protected computer; in that the defendant did gain access to the
non-public portion of a United States Navy computer and by such access was
able to obtain information about the computer.

                All in violation of Title 18, United States Code, Section
1030(a)(2)(B) and (C).


THE GRAND JURY FURTHER CHARGES:

                                 Count Two:

                On or about April 1, 1999, in Central County, in the State
and Eastern District of New Mexico, and elsewhere,

                               JOHN Q. HACKER

intentionally and without authorization accessed a non-public computer used
by the United States Army, a department of the United States, and did
thereby affect the use of such computer by the government of the United
States; in that the defendant gained unauthorized access to a United States
Army website server (a networked computer), intended to be used by both the
public and United States Army personnel, and then altered that server in
such a way that it could not be used by the United States Army personnel
at all until it was repaired.

                All in violation of Title 18, United States Code, Section
1030(a)(3).


THE GRAND JURY FURTHER CHARGES:

                                Count Three:

                On or about April 1, 1999, in Central County, in the State
and Eastern District of New Mexico, and elsewhere,

                               JOHN Q. HACKER

intentionally accessed a protected computer without authorization and as a
result of such conduct, recklessly caused damage; in that the defendant
gained unauthorized access to a United States Army website server intended
for the use by the public and Army personnel, and altered the server in
such a way that it could not be used for its intended purposes until it was
repaired; the server ultimately had to be replaced.

                All in violation of Title 18, United States Code, Section
1030(a)(5)(B).


THE GRAND JURY FURTHER CHARGES:

                                Count Four:

                On or about April 1, 1999, in Central County, in the State
and Eastern District of New Mexico, and elsewhere,

                               JOHN Q. HACKER

did willfully and maliciously interfere with the working and use of a
communication system operated by the United States, and used for military
functions of the United States, and did willfully and maliciously obstruct
and delay the transmission of communications over such system; in that the
defendant gained unauthorized access to a United States Army website server
used in part to communicate information to Army personnel, and altered the
server in such a way that it could not be used at all for this intended
purpose until it was repaired.

                All in violation of Title 18, United States Code, Section
1362.


                                                       ____________________

                                                         FOREPERSON(SIGNED)

                                                       ____________________

                                                              DATE(4-01-99)

___________________
WILLIAM A. WALBERGG(SIGNED)

United States Attorney



Appendix G - USDOJ Press Release

http://www.usdoj.gov/opa/pr/1999/August/387crm.htm

     FOR IMMEDIATE RELEASE

     CRM

     MONDAY, AUGUST 30, 1999

     (202) 514-2007

     WWW.USDOJ.GOV

     TDD (202) 514-1888

              WISCONSIN HACKER CHARGED WITH MILITARY BREAK-IN

     WASHINGTON, D.C. - One of the founders of a hacker group called
     "Global Hell" was arrested and charged today in a federal
     complaint alleging he hacked into a protected U.S. Army computer
     at the Pentagon, and maliciously interfered with the
     communications system, the Justice Department announced.

     The defendant, Chad Davis, 19, of Green Bay, Wisconsin, was also
     known as "Mindphasr," according to an affidavit filed in U.S.
     District Court in Green Bay. Davis was a founder of the hacking
     group also called "GH."

     The complaint alleges that Davis gained illegal access to an Army
     web page and modified its contents. Davis is also alleged to have
     gained access to an unclassified Army network, removing and
     modifying its computer files to prevent detection.

     U.S. Attorney Thomas P. Schneider said, "even though the
     intrusion involved an unclassified Army computer network, the
     intruder prevented use of the system by Army personnel.
     Interference with government computer systems are not just
     electronic vandalism, they run the risk of compromising critical
     information infrastructure systems."

     Schneider noted that, as alleged in the complaint, the intruder
     was the subject of an FBI-executed search warrant earlier this
     year. In spite of that, it appears the defendant continued to
     gain unlawful access to computer networks.

     The investigation which led to these charges against Davis was
     conducted jointly by the U.S. Army Criminal Investigation Command
     and the Federal Bureau of Investigation. The case is being
     prosecuted by Assistant U.S. Attorney Eric Klumb.


Special thanks to:

Brian Martin (bmartin@attrition.org)
Copyright 1999